Document version of OSV schema #113
Comments
|
In the absence of an explicit value, the value is assumed to be "1.0.0" per https://ossf.github.io/osv-schema/#schema_version-field, which predates the addition of this field. The OSV schema is intended to be backwards compatible, in that newer versions do not change the meaning of existing fields. |
|
That said, we can very easily update the schema_versions here, we just haven't had the need to adopt the newer fields added since 1.0.0 yet. |
|
Can I suggest that PyPa document this in the README.md? E.g. "We use OSV 1.0.0 in YAML format for the files" and if you ever change you can update the docs. Thanks |
di
changed the title
|
I'd merge a PR with this change. I've updated the issue title accordingly. Thanks! |
|
The confusion here is why ossf/osv-schema#131 and ossf/osv-schema#132 would be useful to include. |
So other OSV based YAML vuln databases include the schema_version tag (e.g. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/antlr4-java/OSV-2022-667.yaml), which version of the OSV schema is PyPa currently using?
The only reference I found was in #73 which points to the current OSV schema file (which doesn't require the schema_version tag, but it's something I've suggested in ossf/osv-schema#116)
The text was updated successfully, but these errors were encountered: